Alberto,

with the current major release of SEC, only constant values are supported as threshold values for thresholding rules. One reason for this is that each thresholding rule could start many event correlation operations that do the event counting. If the threshold value is a variable, it is unclear how changes to this variable should influence active operations. It would also be difficult to implement it, since each assignment to a variable would trigger a check of event correlation operations that do counting.

BR,
risto

> From: Alberto Losada <alos...@s21sec.com>
> Subject: [Simple-evcorr-users] Thresh options
> To: simple-evcorr-users@lists.sourceforge.net
> Date: Thursday, June 4, 2009, 8:32 PM
>
> Hello *,
>
> I am trying to assign a changing thresh value to a SingleWithThreshold
> context. This thresh value is obtained by means of a shell script and
> passed to the final context, which is responsible for counting the
> events, by means of a global assign (assign %a). I've realized that sec
> complains every time I try to start it: "Rule in conf/prueba.sec at
> line 19: Invalid threshold ' $1 ' and Rule in conf/prueba.sec at line
> 19: Invalid threshold ' %a '"
>
> Is there a way to assign a value by means of a variable or something
> similar to the thresh option instead of writing the number by hand?
>
> type = Single
> ptype = regexp
> pattern = foo
> desc= $0
> action= spawn (shellscript.sh)
>
> type=Single
> ptype=RegExp
> pattern=2009-06-04 00\:00\:00\.0 GMT\+02\:00 (.+)
> desc=$0
> action= assign %a $1; create context_manyana 3600
>
> type=SingleWithThreshold
> ptype=RegExp
> pattern= test (.+)
> desc=contando eventos de manyana
> context= context_manyana
> action= write - envia correo ya!
> thresh=%a
> window=30
>
> Thanks in advance.
>
> Alberto Losada
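
The ambiguity described in the reply, as an added illustration that is not part of the thread and not SEC's own code: a simplified Python model of threshold counting in which each operation either keeps the threshold it started with or reads the variable on every event. The event times, the operation keys A and B, and the threshold change at t=8 are constructed sample data, and the window handling is a simplification of SingleWithThreshold.

```python
# Simplified model (an assumption, not SEC's implementation): one counting
# operation per key, a sliding window, and one action per window.

def simulate(events, window, initial_threshold, changes, live):
    """Return [(time, key)] at which the action would run.

    events  -- list of (time, key) tuples
    changes -- {time: new_threshold}, i.e. assignments to the variable
    live    -- False: an operation keeps the threshold seen when it started
               True:  an operation re-reads the variable on every event
    """
    current = initial_threshold
    pending = sorted(changes.items())
    ops = {}      # key -> state of the active counting operation
    fired = []
    for t, key in sorted(events):
        while pending and pending[0][0] <= t:
            current = pending.pop(0)[1]          # variable reassigned
        op = ops.get(key)
        if op:
            if op["fired"]:
                if t < op["times"][0] + window:
                    continue                     # action already ran in this window
                op = None                        # window over, start afresh
            else:
                # slide the window: forget events that are too old
                op["times"] = [x for x in op["times"] if x > t - window]
                if not op["times"]:
                    op = None
        if op is None:
            op = ops[key] = {"start_thresh": current, "times": [], "fired": False}
        op["times"].append(t)
        limit = current if live else op["start_thresh"]
        if len(op["times"]) >= limit:
            op["fired"] = True
            fired.append((t, key))
    return fired

# Constructed sample: operation A starts while the threshold is 3, the
# variable is raised to 5 at t=8, and operation B starts after the change.
EVENTS = [(0, "A"), (5, "A"), (9, "B"), (10, "A"), (11, "B"),
          (12, "A"), (13, "B"), (14, "A"), (15, "B"), (17, "B")]
CHANGES = {8: 5}

if __name__ == "__main__":
    print("snapshot:", simulate(EVENTS, 30, 3, CHANGES, live=False))
    print("live:    ", simulate(EVENTS, 30, 3, CHANGES, live=True))
```

Operation A, already counting when the variable changes, fires at a different time under the two interpretations, while B, started after the change, behaves the same in both.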